IRM Advanced Risk max, min, avg nad sum_calculated_ale

Jerold Servi_o · ‎01-12-2023

Does anyone know how these four fields for sn_grc_profile table are being filled? max_calculated_ale, min_calculated_ale, avg_calculated_ale and sum_calculated_ale. I found a script include that seems to do it but upon further analyzation and following the flow it ends up with a function that isn't getting called anywhere. Any help with this is greatly appreciated. Thank you.

Community Alums · ‎01-12-2023

Hi @Jerold Servi_o ,

sn_grc_profile table is nothing but Entities table.

To understand the fields in ask, we will have to go back to understand Risk Statements (Classic Risk management).

Starting with New York, risk managers can create hierarchies that include different types of risk (operational risk, IT risk, or strategic risk). Once the underlying risks are assessed, the risk scores are automatically rolled up across the risk statement hierarchy, providing better tactical and strategic decision-making.

The Tolerance Status and the Calculated Score are based on the Calculated Annual Loss Expectancy (ALE) of the underlying risks:

Sum of calculated ALE
Average calculated ALE
Maximum calculated ALE
Minimum calculated ALE

These values are "qualitative values" which is Manually filled.

Jerold Servi_o · ‎01-12-2023

Hi Sandeep,

All four fields are manually filled or is it calculated based on other fields in the table?

Community Alums · ‎01-12-2023

Hi @Jerold Servi_o ,

There is a module called Risk Criteria in the Admin section of the Risk App. That is where the records that drive the risk criteria matrix are stored. The baseline comes with a 5x5 matrix. You have a set of records for Impact, a set for Likelihood and then a set for score. You enter both the qualitative and quantitative values in the matrix. The quantitative values are needed to drive the ALE calculations. Even if you don't have good detailed quantitative info, hopefully you can enter values at more general level.

ServiceNow intends for customers to update the records in this table. You can add records if you want more levels or just change the values. Just keep the Impact $$ in line with the $$ values in the score records.

You can always come back and change these values - so you may want to play around with it.

Also,

Risk Rollup and Tolerance form
Field	Description
Expected ALE	Annual Loss of Expectancy (ALE) refers to the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). Expected ALE is the expected value of the ALE for the risk statement. Enter currency and amount for the expected ALE. Note: This value must be less than or equal to the Maximum acceptable ALE.
Sum of calculated ALE	This calculation is based on the sum of calculated ALE of all the underlying risks of the risk statement and its children risk statements.
Maximum calculated ALE	This calculation is based on the maximum of calculated ALE of all the underlying risks of the risk statement and its children risk statements.
Maximum acceptable ALE	Threshold value for the ALE for the risk statement. Note: This value must be greater than or equal to theExpected ALE. This value has an impact on the Tolerance status field.
Average calculated ALE	This calculation is based on the average of calculated ALE of all the underlying risks of the risk statement and its children risk statements.
Minimum calculated ALE	This calculation is based on the minimum of calculated ALE of all the underlying risks of the risk statement and its children risk statements.
Calculated Score	The corresponding score for the calculated ALE: Low Med High

Community Alums · ‎01-12-2023

Hi @Jerold Servi_o ,